From ee724768e569f96385ca88aa7aa60fc5a67c268b Mon Sep 17 00:00:00 2001
From: Florian Greinacher
Date: Wed, 28 Apr 2021 16:07:10 +0200
Subject: [PATCH] fix: pass ECR credentials properly (#9767)

* fix: pass ECR credentials properly
* Specify type for ECR client config
* Add assertion for trace
---
 .../docker/__snapshots__/index.spec.ts.snap | 36 +++++++++++++++++++
 lib/datasource/docker/index.spec.ts | 34 ++++++++++++++++++
 lib/datasource/docker/index.ts | 10 +++---
 3 files changed, 76 insertions(+), 4 deletions(-)

diff --git a/lib/datasource/docker/__snapshots__/index.spec.ts.snap b/lib/datasource/docker/__snapshots__/index.spec.ts.snap
index 6d773f2113fed8..1cbbf983b7e2fd 100644
--- a/lib/datasource/docker/__snapshots__/index.spec.ts.snap
+++ b/lib/datasource/docker/__snapshots__/index.spec.ts.snap
@@ -110,6 +110,42 @@ Array [ ] `; +exports[`datasource/docker/index getDigest passes credentials to ECR client 1`] = ` +Array [ + Object { + "headers": Object { + "accept-encoding": "gzip, deflate, br", + "authorization": "Basic c29tZS11c2VybmFtZTpzb21lLXBhc3N3b3Jk", + "host": "123456789.dkr.ecr.us-east-1.amazonaws.com", + "user-agent": "https://github.com/renovatebot/renovate", + }, + "method": "GET", + "url": "https://123456789.dkr.ecr.us-east-1.amazonaws.com/v2/", + }, + Object { + "headers": Object { + "accept-encoding": "gzip, deflate, br", + "authorization": "Basic abcdef", + "host": "123456789.dkr.ecr.us-east-1.amazonaws.com", + "user-agent": "https://github.com/renovatebot/renovate", + }, + "method": "GET", + "url": "https://123456789.dkr.ecr.us-east-1.amazonaws.com/v2/", + }, + Object { + "headers": Object { + "accept": "application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.docker.distribution.manifest.v2+json", + "accept-encoding": "gzip, deflate, br", + "authorization": "Basic abcdef", + "host": "123456789.dkr.ecr.us-east-1.amazonaws.com", + "user-agent": "https://github.com/renovatebot/renovate", + }, + "method": "GET", + "url": "https://123456789.dkr.ecr.us-east-1.amazonaws.com/v2/node/manifests/some-tag", + }, +] +`; + exports[`datasource/docker/index getDigest returns digest 1`] = ` Array [ Object {
diff --git a/lib/datasource/docker/index.spec.ts b/lib/datasource/docker/index.spec.ts
index 80198179ee67e4..b1da20d9f695df 100644
--- a/lib/datasource/docker/index.spec.ts
+++ b/lib/datasource/docker/index.spec.ts
@@ -255,6 +255,40 @@ describe(getName(), () => {
 expect(res).toBeNull();
 expect(httpMock.getTrace()).toMatchSnapshot();
 });
+ it('passes credentials to ECR client', async () => {
+ httpMock
+ .scope(amazonUrl)
+ .get('/')
+ .reply(200, '', {
+ 'www-authenticate': 'Basic realm="My Private Docker Registry Server"',
+ })
+ .get('/')
+ .reply(200)
+ .get('/node/manifests/some-tag')
+ .reply(200, '', { 'docker-content-digest': 'some-digest' });
+
+ mockEcrAuthResolve({
+ authorizationData: [{ authorizationToken: 'abcdef' }],
+ });
+
+ await getDigest(
+ {
+ datasource: 'docker',
+ depName: '123456789.dkr.ecr.us-east-1.amazonaws.com/node',
+ },
+ 'some-tag'
+ );
+
+ const trace = httpMock.getTrace();
+ expect(trace).toMatchSnapshot();
+ expect(AWS.ECR).toHaveBeenCalledWith({
+ credentials: {
+ accessKeyId: 'some-username',
+ secretAccessKey: 'some-password',
+ },
+ region: 'us-east-1',
+ });
+ });
 it('supports ECR authentication', async () => {
 httpMock
 .scope(amazonUrl)
diff --git a/lib/datasource/docker/index.ts b/lib/datasource/docker/index.ts
index a3c4298e62e43a..925258b5b8a3d8 100644
--- a/lib/datasource/docker/index.ts
+++ b/lib/datasource/docker/index.ts
@@ -1,5 +1,5 @@
 import URL from 'url';
-import { ECR } from '@aws-sdk/client-ecr';
+import { ECR, ECRClientConfig } from '@aws-sdk/client-ecr';
 import hasha from 'hasha';
 import parseLinkHeader from 'parse-link-header';
 import wwwAuthenticate from 'www-authenticate';
@@ -113,10 +113,12 @@ async function getECRAuthToken(
 region: string,
 opts: HostRule
 ): Promise {
- const config = { region, accessKeyId: undefined, secretAccessKey: undefined };
+ const config: ECRClientConfig = { region };
 if (opts.username && opts.password) {
- config.accessKeyId = opts.username;
- config.secretAccessKey = opts.password;
+ config.credentials = {
+ accessKeyId: opts.username,
+ secretAccessKey: opts.password,
+ };
 }
 const ecr = new ECR(config);
 try {
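Review bot: The trace this test snapshots shows the first `GET /v2/` probe already carrying `authorization: Basic c29tZS11c2VybmFtZTpzb21lLXBhc3N3b3Jk`, which decodes to `some-username:some-password` — the same pair the test then expects as `accessKeyId`/`secretAccessKey`. `expect(trace).toMatchSnapshot()` therefore pins, inside a snapshot file where it is easy to overlook, the AWS secret key being sent to the registry as a Basic header before the ECR token exchange. That header is presumably applied by host-rule handling outside this hunk, so it cannot be fixed here, but it is worth confirming that it is intended. In the test itself, make the credential expectations explicit, e.g. `expect(trace[1].headers.authorization).toBe('Basic abcdef');` for the token-authenticated request, with a short comment stating whether the first probe is meant to carry the host-rule pair.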
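Review bot: When only one of `opts.username`/`opts.password` is set, the `if (opts.username && opts.password)` guard in getECRAuthToken skips `config.credentials` and `new ECR(config)` is built with `region` alone, which in AWS SDK v3 means the default credential provider chain (environment, shared config, instance or task role). A half-filled host rule would then authenticate with whatever ambient identity the process has instead of failing, and nothing records that this happened. Consider logging that branch, e.g. `else if (opts.username || opts.password) { logger.debug('ECR host rule incomplete, using default AWS credential chain'); }` (assuming the file's logger is in scope), and adding a comment above the block that `username`/`password` map to `accessKeyId`/`secretAccessKey`. Temporary STS keys would additionally need a `sessionToken`, which this mapping has no field for. The function body continues past the end of the hunk, so the token handling after `try {` is not reviewed here.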